How secure is Apple Pay?

Tim Cook introduced Apple Pay in the recent keynote. It’s Apple’s attempt to replace the traditional wallet, or more precisely, Apple’s attempt to replace the credit card. That’s an awesome idea! But how secure is it?
Let’s take a closer look.

Apple claims that it cannot see the individual transactions performed with Apple Pay: a payment is just a transaction between the user, the merchant and the user’s bank. Let’s look into the details.

Data transferred to terminals via NFC

Apple Pay uses NFC to transfer data to payment terminals. That’s a very convenient way to pay, as you just have to hold the device near the contactless reader — you don’t even have to open an app.
Ok, cool — but are there any downsides? The obvious ones first: Apple Pay is currently supported only by the iPhone 6 and iPhone 6 Plus. This limitation comes from the NFC antenna, which is available only in these new devices. Then there are technical issues: Charlie Miller gave a great presentation, “Attacking NFC”, back in 2012, and it’s very scary. Besides that there are some not so obvious challenges too:

NFC has been around for some time: Google Wallet, the most prominent example, was announced back in 2011. But consumers and merchants did not adopt it enough to make it fly, and that will be quite challenging for Apple Pay as well. What’s Apple’s advantage? Google Wallet was limited to customers of Google’s partner bank Citibank holding a MasterCard, and it was limited to the carrier Sprint, too. So it was quite limited overall.
Apple chose another way and unveiled a broad partner system. That’s crucial — and a very good starting point on the road to mass adoption.

Authentication with TouchID

So that’s a big, big plus: TouchID. Let’s look back: passcode adoption was pretty low before TouchID was introduced, for obvious reasons: TouchID is effective and easy to use. That makes it a great fit for Apple Pay authentication: it’s easy to use, secure and available right on your iPhone. A very good combination for a crucial and sensitive topic such as authentication — and a big plus for the security of Apple Pay.

Storing credit cards in Passbook

When you buy a new iPhone 6 or iPhone 6 Plus, the credit card you used for the purchase can be added to Apple Pay automatically. Adding a new credit card is easy as well: simply take a picture of it and you are done — all details are extracted automatically and stored on your device. But what exactly is stored?
Let’s focus on security: the biggest plus is that Apple Pay does not store the credit card number. Instead, Apple Pay generates a device-only account number that is stored safely in the Secure Element (analyzed later on). And each time the user pays, Apple Pay uses a one-time payment number along with a dynamic security code, which basically replaces the static security code printed on the back of each traditional plastic credit card.
So that seems secure. But what happens when the device is lost? The user can suspend all payments from the lost device simply by using Find My iPhone. As the credit card number is not stored on the device, there is no need to cancel the credit card itself when you lose your iPhone. A second plus in terms of useful security for Apple Pay.
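To make the properties described above concrete, here is a small Python model of a tokenised payment flow. It is an added illustration, not Apple’s code or a description of Apple’s actual protocol: the names (`Issuer`, `Device`, `dynamic_code`), the HMAC-with-counter construction for the dynamic security code, and the sample card number are all assumptions made for the example. It shows why the terminal never receives the real card number, why a captured code cannot be replayed or reused with a different amount, and why suspending the lost device’s token leaves the underlying card valid.

```python
import hashlib
import hmac
import secrets

# Toy model of a tokenised payment flow (hypothetical, not Apple's scheme):
# the real card number (PAN) lives only at the issuer, the device holds a
# device-only account number (DAN) plus a secret key, and every payment
# carries a one-time code bound to the amount and a monotonic counter.


def dynamic_code(key: bytes, dan: str, amount_cents: int, counter: int) -> str:
    """Per-transaction code over token, amount and counter (assumed construction)."""
    msg = f"{dan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Issuer:
    """Issuer-side token vault. Only this side ever sees the PAN."""

    def __init__(self) -> None:
        self._vault: dict = {}      # dan -> token record
        self._cards: set = set()    # PANs that are still valid

    def issue_card(self, pan: str) -> None:
        self._cards.add(pan)

    def card_valid(self, pan: str) -> bool:
        return pan in self._cards

    def provision(self, pan: str):
        """Create a device token for a card; the key is handed to the device."""
        dan = "DAN-" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[dan] = {"pan": pan, "key": key, "active": True, "last_ctr": 0}
        return dan, key

    def suspend_token(self, dan: str) -> None:
        """Lost device: disable the token, leave the card itself untouched."""
        self._vault[dan]["active"] = False

    def authorize(self, txn: dict) -> bool:
        rec = self._vault.get(txn["dan"])
        if rec is None or not rec["active"]:
            return False
        if txn["counter"] <= rec["last_ctr"]:    # replayed or stale code
            return False
        expected = dynamic_code(rec["key"], txn["dan"], txn["amount"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return False                         # amount or token tampered with
        rec["last_ctr"] = txn["counter"]
        return self.card_valid(rec["pan"])


class Device:
    """Phone side: holds only the DAN and key, never the PAN."""

    def __init__(self, dan: str, key: bytes) -> None:
        self.dan, self._key, self.counter = dan, key, 0

    def pay(self, amount_cents: int) -> dict:
        """What the terminal receives: token, amount, counter and one-time code."""
        self.counter += 1
        code = dynamic_code(self._key, self.dan, amount_cents, self.counter)
        return {"dan": self.dan, "amount": amount_cents, "counter": self.counter, "code": code}


def run_demo() -> dict:
    """Walk through the properties the post describes and return the outcomes."""
    issuer = Issuer()
    pan = "4111111111111111"                       # constructed sample PAN
    issuer.issue_card(pan)
    dan, key = issuer.provision(pan)
    phone = Device(dan, key)

    txn = phone.pay(1999)
    results = {
        "merchant_sees_pan": pan in str(txn),      # terminal data contains no PAN
        "first_payment_ok": issuer.authorize(txn),
        "replay_ok": issuer.authorize(txn),        # same captured code, second time
    }
    tampered = dict(phone.pay(500), amount=50000)  # amount altered in transit
    results["tampered_amount_ok"] = issuer.authorize(tampered)

    issuer.suspend_token(dan)                      # the "Find My iPhone" step
    results["after_suspend_ok"] = issuer.authorize(phone.pay(300))
    results["card_still_valid"] = issuer.card_valid(pan)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the file prints one line per check: the first payment is accepted, the replayed and tampered transactions are rejected, the terminal record never contains the PAN, and after the token is suspended the card itself is still valid at the issuer.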

Protecting data at rest with the Secure Element

The first and most important part: Apple Pay does not store credit card numbers. It’s as simple and secure as that.
The “secure element” is a dedicated chip in the iPhone 6 and Apple Watch used to store the payment credentials. According to Apple’s documentation the credit card numbers are never stored on the device, and not on Apple’s servers either. That seems secure, and as outlined above the solution is intuitive and easy to use. Transparency about the technical details would be very welcome; we will keep an eye on that.

Merchant adoption?

Well, Apple started off with big names supporting Apple Pay: Walgreens, Staples, Bloomingdale’s and others. But I was wondering: what about other big names such as Walmart? That seems a little bit tricky. NFC has been around for some time, and we have already seen some problems with it (e.g. Isis turning off NFC, Tesco dismissing NFC, etc.). Google has been in the NFC race for quite a while, and it seems very hard to win this game. Apple just entered with the iPhone 6 and iPhone 6 Plus. Let’s see who will win. But with Apple entering the ring, there is already one winner: the customer. And with the broad cooperation network built before the launch of Apple Pay, this is a great starting point. Let’s see how the market adopts Apple Pay.

Conclusion

Apple Pay is a secure and easy to use solution. The downsides do not come from the solution itself; the major challenges arise from the “NFC ecosystem”:

  • Secure NFC data transfer mainly depends on the secure signal transport between the contactless reader and the device.
  • Apple Pay is only supported by the iPhone 6 and iPhone 6 Plus.

But there are also clear upsides:

  • Apple Pay does a great job of not storing the credit card details on the device.
  • PayPass, the major system behind NFC-based terminals run by MasterCard, is the de-facto standard in Europe. Adoption there will be significantly higher than in the US (we will update with actual numbers once they are available).

If you found this post interesting or helpful, follow me on Twitter or like me on Facebook, where we keep you updated about secure mobile app development :-)

Also make sure to check out SecureBeam — the app which applies strong encryption to your files.
Arriving very soon to iOS!